What price cyber risk?

What did make a difference was how seriously institutions took the spirit of regulation: those banks, for example, which saw Basel II as an annoyance to be satisfied so they could get on with banking were more likely to fail.

"Many companies are 'compliant' but not that many properly understand and prepare for the real risks."
Andrew Cornell, Managing Editor

Those which saw Basel II as a contribution to better understanding their risk characteristics in the process came to run safer banks.

We are now in a similar situation with cyber security. Many companies are 'compliant' but not that many properly understand and prepare for the real risks.

I moderated an event in Hong Kong last week put on by ANZ which brought together four experts in cyber security from very diverse backgrounds.

On the panel was General Michael Hayden, a former director of the Central Intelligence Agency (CIA) and former director of the National Security Agency (NSA) who is currently a principal at the Chertoff Group and a distinguished visiting professor at the George Mason University School of Public Policy.

Alongside the general were Paul Scanlan, President of Business & Network Consulting at Huawei Technologies, Pierre Noel , chief security officer and advisor for Microsoft in Asia and Guy Boyd, ANZ's Global Head of Financial Crime.

While the telecoms and technology event was closed, the speakers offered a range of public insights, the most compelling of which was it is not possible to stop cyber attacks penetrating an organisation. The critical issue is resilience and recovery.

Scanlan delivered an almost utopian presentation around the promise of the global digital transformation and how it will accelerate as we move through 5G and the economic centre of gravity moves east.

Think of a simple spanner, he said, today a combination of mining, manufacturing, transport, logistics, packaging and retailing. Yet it is used as a simple tool.

Imagine then the impact on each of those industries when a spanner can be printed in a 3D printer, used for its purpose, then simply recycled back into the printer. No miner, no retailer, no transport.

In a perfect piece of symmetry, he was followed by Hayden who laid out the enormity of the threats posed by cyber crime – as undertaken by nation states, criminals and unpredictable activists and rogues. Sometimes in combination.

It was both fascinating, exciting and frightening.

But a critical insight came from the audience: do banks and other providers of funding take into account vulnerability to cyber crime when making lending and investment decisions?

After all, as the massive attack on Sony by North Korea demonstrated, such attacks can be devastating. Hayden said this and similar attacks were a new front in the battle where the attackers were using their threat as coercion rather than to simply steal money or gain attention.

These threats could effectively destroy a company if they couldn't be contained.

Such a vulnerability then is a massive operational risk – but it is not, yet, priced into financing decisions. Yet clearly if there are two companies in the same industry, both of which rely on digital information and processing – and which major company doesn't? – then one with resilient systems willing to recognise cyber attacks are a ubiquitous risk is surely a better credit.

Noel added the more sobering view that even companies which believed they were “compliant" in whatever risk management systems they were using probably were not. They had simply satisfied a check list. “Compliance" he said was far too often a box ticking exercise in a battle where such systems were almost obsolete as soon as they were created.

Worse, even those systems were rarely properly understood in the organisation. He cited information classification as a prime example where many organisations, private and public, graded their information.

One such distinction was often between “confidential" and “restricted" – yet almost no one in organisations using such distinctions understood the difference.

Hayden stressed the awesome potential of the cyber world was also its danger, it could poison as well as nurture.

An historian, he likened it to the age of sail in the 15th and 16th century which brought global trade and shared innovations – but also slavery, piracy and the spread of disease. Only this age is happening at light speed not over centuries.

A friend of one of the creators of the internet, Vint Cerf, Hayden related a conversation where Cerf explained “security" was never even a thought when the project to create what turned into the internet was started. (Security was considered when designing the WWW: in the specifications submitted to CERN by Tim Berners-Lee under the heading of ‘Non Requirements’ he listed “copyright enforcement and data security”.) 

The original project was essentially about making it to share information. Hayden likened it to making it easier to cook food in a kitchen and get it into a dining room. So having a locked door between kitchen and dining room would have defeated the purpose.

Risk then, in this world inherently designed without doors, is vulnerability times consequence times threat – recognising each of the three factors is a multiplier.

In recent times, attention has been devoted to reducing vulnerability with defences like fire walls and passwords.

In the future, reducing risk will be about reducing the consequence – improving resilience, cutting the response time to an inevitable breech, sealing off breaches, maximising the time between “flash" – intrusion – and “bang" – everything is destroyed.

For all the panel, the view was this reality was dawning relatively slowly on organisations but it was dawning. Cyber risk was now being discussed by chief executives and chief operating officers and at board level.

The consequence of this new risk paradigm for cyber security is enormous and it means the line between security and privacy is constantly shifting.

Interestingly, it is also opening up rather than closing down cooperation between organisations – the CIA now uses Amazon to run its private cloud because Amazon has the expertise and the economies of scale.

This is a whole new world of risk we are living in but the question is how well is that risk being priced by the providers of capital?

Not well was the unavoidable conclusion from this event.